A simple way to protect your Mikrotik from attacks

I want to share with the community a simple and effective way of using Mikrotik to protect your network, and the services "peeking out" from behind it, from attacks coming from the outside. Namely, just three rules that set up a honeypot on Mikrotik.

So, let's imagine a small office with one external IP, behind which sits an RDP server that employees use to work remotely. The first rule is, of course, to move port 3389 on the external interface to some other port. But that does not help for long: after a couple of days the terminal server's audit log starts showing several failed logins per second from unknown clients.

Another situation: you have an Asterisk hidden behind the Mikrotik, naturally not on UDP port 5060, and after a couple of days the password guessing starts there too... yes, yes, I know, fail2ban is our everything, but it still has to be worked on... for example, I recently installed it on Ubuntu 18.04 and was surprised to find that out of the box fail2ban has no current settings for the Asterisk shipped in the very same Ubuntu distribution... and a quick googling for ready-made "recipes" no longer works: release numbers have been growing for years, the articles with "recipes" for the old versions no longer work, and new ones hardly appear... But I digress...

So, what a honeypot is in short: in our case it is any well-known port on the external IP, and any new connection to that port from an outside client sends the source address to a blacklist. That's all.

/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="block honeypot ssh rdp winbox" \
    connection-state=new dst-port=22,3389,8291 in-interface=ether4-wan protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" \
    address-list-timeout=30d0h0m chain=input comment="block honeypot asterisk" \
    connection-state=new dst-port=5060 in-interface=ether4-wan protocol=udp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list="Honeypot Hacker"

The first rule, on the well-known TCP ports 22, 3389 and 8291 of the external interface ether4-wan, sends the "guest" IP to the "Honeypot Hacker" list (the real ssh, rdp and winbox services must be disabled on those ports beforehand or moved to other ports). The second rule does the same for the well-known UDP port 5060. Do this before enabling the rules and make sure none of your own management addresses ever touch these ports from outside: the raw drop below runs before anything else, so one stray Winbox connection from the WAN side locks you out for 30 days.

The third rule, at the prerouting stage, drops every packet from "guests" whose source address is in "Honeypot Hacker".

After two weeks of running this on my home Mikrotik, the "Honeypot Hacker" list had collected about one and a half thousand IP addresses of those who like to "grab by the udder" my network resources (at home there is my own telephony, mail, nextcloud and rdp). Pa-pa-pa-pa-pa... stop, the joy has arrived.

At work, not everything is so simple: there they keep trying to break into the rdp server by brute-forcing passwords.

Apparently the port number had been found by the scanners long before the honeypot was switched on, and during quarantine it is not so easy to reconfigure more than 100 users, 20% of whom are over 65. For the case where the port cannot be changed, there is a small working recipe. I have seen something similar on the Internet, but this one has an extra addition and some fine tuning:

Rules for the "port knocking" setup (strictly speaking it is not port knocking but a connection-rate limiter built from chained address lists, the same staged address-list trick the MikroTik wiki uses for SSH brute-force prevention)

/ip firewall filter
# Order matters: add-src-to-address-list does not stop rule processing, so the
# rules go from the highest stage down to stage1. Ordered the other way round,
# a single new connection would climb every stage at once.
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=15m chain=forward comment=rdp_to_blacklist \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage12
add action=add-src-to-address-list address-list=rdp_stage12 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage11
add action=add-src-to-address-list address-list=rdp_stage11 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage10
add action=add-src-to-address-list address-list=rdp_stage10 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage9
add action=add-src-to-address-list address-list=rdp_stage9 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage8
# stage8 must be fed from stage7. The original listing pointed it at stage4,
# which skipped stages 5-7 and blacklisted after 10 connections instead of 12.
add action=add-src-to-address-list address-list=rdp_stage8 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage7
add action=add-src-to-address-list address-list=rdp_stage7 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage6
add action=add-src-to-address-list address-list=rdp_stage6 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage5
add action=add-src-to-address-list address-list=rdp_stage5 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage4
add action=add-src-to-address-list address-list=rdp_stage4 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage1
# stage1 has no src-address-list: every new connection to 3389 enters it.
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=4m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp
/ip firewall raw
add action=drop chain=prerouting in-interface=ether4-wan src-address-list=rdp_blacklist

Within 4 minutes a remote client is allowed only 12 new connections ("requests") to the RDP server; one login attempt costs 1 to 4 such connections. Each new connection moves the source address up exactly one stage, because the rules are ordered from the highest stage down and each stageN rule only matches addresses already in stageN-1. Once the address has reached rdp_stage12, the next new connection puts it in rdp_blacklist and the raw rule drops everything from it for 15 minutes. In my case the attackers did not stop breaking the server; they adapted to the timers and now do it very slowly, and at that rate the attack's effectiveness drops to zero. The company's employees noticed almost no inconvenience at work from these measures.
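To see why the stage order and the stageN-to-stageN-1 links matter, here is a small model of the address-list mechanics that both the honeypot rules and the staged RDP rules above rely on. This is an added example for understanding the rules, not code from the article or from MikroTik, and it talks to no router: it models only the matchers the rules use (chain, protocol, dst-port, src-address-list), list timeouts, the terminating `drop` action and the non-terminating `add-src-to-address-list` action. The attacker address 203.0.113.5, the 10-second attempt interval and the rule-generator parameters are constructed for the demonstration; `typo=True` reproduces the stage8-from-stage4 reference in the article's listing and `ascending=True` shows what happens when the rules are in the wrong order.

```python
"""Toy model of RouterOS address-list rules (added example, not MikroTik code)."""
from dataclasses import dataclass


@dataclass
class Rule:
    chain: str                 # "prerouting" (raw), "input" or "forward" (filter)
    action: str                # "add-src-to-address-list" or "drop"
    address_list: str = ""     # target list for add-src-to-address-list
    timeout: int = 0           # address-list-timeout in seconds
    src_list: str = ""         # src-address-list matcher, "" = any source
    dst_ports: tuple = ()      # dst-port matcher, () = any port
    proto: str = ""            # protocol matcher, "" = any protocol


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}        # list name -> {ip: expiry time in seconds}

    def listed(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and expiry > now

    def _run(self, chain, ip, proto, dport, now):
        """Walk one chain top-down; True means the packet was dropped."""
        for r in self.rules:
            if r.chain != chain or (r.proto and r.proto != proto):
                continue
            if r.dst_ports and dport not in r.dst_ports:
                continue
            if r.src_list and not self.listed(r.src_list, ip, now):
                continue
            if r.action == "drop":
                return True                      # drop is terminating
            # add-src-to-address-list: (re)list the source and keep matching
            self.lists.setdefault(r.address_list, {})[ip] = now + r.timeout
        return False

    def new_connection(self, ip, proto, dport, now, chain="forward"):
        """Outcome of one new connection: 'drop' (raw drops the first packet),
        'cut' (first packet passed, but the filter chain blacklisted the source,
        so raw drops the rest of the handshake) or 'pass'."""
        if self._run("prerouting", ip, proto, dport, now):
            return "drop"
        self._run(chain, ip, proto, dport, now)
        return "cut" if self._run("prerouting", ip, proto, dport, now) else "pass"


def honeypot_rules(timeout=30 * 86400):
    """The article's three honeypot rules: tcp 22/3389/8291, udp 5060, raw drop."""
    hp = "Honeypot Hacker"
    return [
        Rule("input", "add-src-to-address-list", hp, timeout, "", (22, 3389, 8291), "tcp"),
        Rule("input", "add-src-to-address-list", hp, timeout, "", (5060,), "udp"),
        Rule("prerouting", "drop", src_list=hp),
    ]


def staged_rules(stages=12, window=240, block=900, port=3389, typo=False, ascending=False):
    """Generate the article's stage chain: highest stage first, stageN fed by stageN-1."""
    rules = [Rule("forward", "add-src-to-address-list", "rdp_blacklist", block,
                  f"rdp_stage{stages}", (port,), "tcp")]
    for n in range(stages, 0, -1):
        prev = f"rdp_stage{n - 1}" if n > 1 else ""
        if typo and n == 8:
            prev = "rdp_stage4"               # the copy-paste slip in the original listing
        rules.append(Rule("forward", "add-src-to-address-list", f"rdp_stage{n}",
                          window, prev, (port,), "tcp"))
    if ascending:
        rules.reverse()                       # wrong order: stage1 on top
    rules.append(Rule("prerouting", "drop", src_list="rdp_blacklist"))
    return rules


def first_blocked(rules, interval, dport=3389, proto="tcp", chain="forward", limit=40):
    """Number of the first new connection (one every `interval` seconds from a
    single constructed attacker address) that is dropped or cut, or None."""
    fw = Firewall(rules)
    for i in range(1, limit + 1):
        if fw.new_connection("203.0.113.5", proto, dport, i * interval, chain) != "pass":
            return i
    return None


if __name__ == "__main__":
    print("correct chain, one attempt every 10 s:", first_blocked(staged_rules(), 10))        # 13
    print("listing with stage8 <- stage4:", first_blocked(staged_rules(typo=True), 10))     # 10
    print("rules in ascending order:", first_blocked(staged_rules(ascending=True), 10))     # 1
    print("legit user, one attempt every 5 min:", first_blocked(staged_rules(), 300))       # None
    print("honeypot, first SYN to tcp/22:", first_blocked(honeypot_rules(), 10, 22, chain="input"))  # 1
```

The runs show the two properties the text relies on: with the correct chain an address climbs one stage per connection and is blacklisted on the first connection after reaching rdp_stage12, while a user who reconnects less often than the 4-minute window never gets past stage1; with the rules in ascending order a single connection climbs the whole ladder, and with the stage8-from-stage4 slip the block comes after 10 connections instead of 12. For the honeypot, the very first SYN to a trap port lists the source and the raw drop then discards every packet from it, to any port, until the 30-day timeout expires.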

Another small trick
This rule is switched on by the scheduler at 5 am and off again at XNUMX am (the second hour is garbled in the source), covering the hours when real people are asleep but the automated crackers keep going.

/ip firewall filter
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w0d0h0m chain=forward comment="night_rdp_blacklist" \
    connection-state=new disabled=yes dst-port=3389 protocol=tcp \
    src-address-list=rdp_stage8

Because this rule is added below the stage rules, it sees the address the moment it lands in rdp_stage8, so already on the 8th new connection the attacking IP goes into the blacklist for a week. Beautiful!

Well, in addition to the above, I will add a link to the wiki article with a working configuration for protecting Mikrotik from network scanners: wiki.mikrotik.com/wiki/Drop_port_scanners

On my devices this configuration runs together with the honeypot rules described above and coexists with them nicely.

UPD: As suggested in the comments, the packet drop rule was moved to RAW to reduce the load on the router.

source: www.habr.com
